WEBVTT

00:00:02.840 --> 00:00:08.100
Hello and welcome to this video titled An Overview of WPA2.

00:00:08.100 --> 00:00:10.760
Let's go over the topics I'm going to cover.

00:00:10.760 --> 00:00:15.280
I'm going to start by talking about the downsides of WPA2's precursor,

00:00:15.280 --> 00:00:20.340
which was WPA. We're going to look at a timeline of Wi-Fi security and

00:00:20.340 --> 00:00:24.060
see how WPA2 fit into that timeline.

00:00:24.060 --> 00:00:28.820
We're going to compare and contrast the key management mechanisms of WPA

00:00:28.820 --> 00:00:34.160
and WPA2. We're going to briefly talk about the differences between WPA2

00:00:34.160 --> 00:00:35.780
Personal and Enterprise editions.

00:00:35.780 --> 00:00:40.600
I'm going to finish with a summary of the differences between WPA and

00:00:40.600 --> 00:00:47.360
WPA2. So in order to really understand and appreciate WPA2, we need to

00:00:47.360 --> 00:00:51.380
take a look at its precursor, which was Wi-Fi Protected Access, or just

00:00:51.380 --> 00:00:56.480
WPA, and what the downsides were of this.

00:00:56.480 --> 00:01:01.380
So initially, Wi-Fi Protected Access only supported TKIP.

00:01:01.380 --> 00:01:04.960
So if you remember from other videos or from your own studies, you might

00:01:04.960 --> 00:01:09.140
recall that the history of security with Wi-Fi was that WEP came out

00:01:09.140 --> 00:01:13.360
first, Wired Equivalent Privacy, and WEP used an encryption standard

00:01:13.360 --> 00:01:18.820
called RC4. That was the cipher that was used to encrypt and decrypt data.

00:01:18.820 --> 00:01:23.100
Now the problem with WEP and RC4 was that it used just a static passphrase

00:01:23.100 --> 00:01:26.460
that never changed to derive the base key.

00:01:26.460 --> 00:01:29.260
And that was what was used to encrypt and decrypt everything.

00:01:29.260 --> 00:01:33.380
And because it never changed, it was very easily crackable and hackable,

00:01:33.380 --> 00:01:36.760
especially as devices got more and more powerful.

00:01:36.760 --> 00:01:41.240
So TKIP, what TKIP did was they said, hey, let's still use RC4 as sort

00:01:41.240 --> 00:01:44.860
of our base for encrypting and decrypting stuff, but we're going to add

00:01:44.860 --> 00:01:46.960
some additional features to this.

00:01:46.960 --> 00:01:51.560
For example, we're going to have per-packet encryption.

00:01:51.560 --> 00:01:54.980
So each packet's going to have a different encryption key that just changes

00:01:54.980 --> 00:01:58.980
over time. So that'll be a lot harder to crack things.

00:01:58.980 --> 00:02:05.260
But TKIP is still based off of RC4, which is still not as secure overall

00:02:05.260 --> 00:02:10.400
as a cipher method as other cipher methods that have been available for

00:02:10.400 --> 00:02:15.820
several years. And remember, WPA was meant as a stopgap.

00:02:15.820 --> 00:02:21.060
In other words, the Wi-Fi Alliance said, WEP is broken, WEP is very easily

00:02:21.060 --> 00:02:25.680
crackable. They got a draft of something that was going to come out, which

00:02:25.680 --> 00:02:30.420
was 802.11i, which had not been formally finished yet.

00:02:30.420 --> 00:02:33.780
But based on that draft, they said, hey, what's in this draft is still

00:02:33.780 --> 00:02:36.760
better than what WEP currently offers.

00:02:36.760 --> 00:02:41.720
So even though the final version of 802.11i might not look like this draft,

00:02:41.720 --> 00:02:45.360
we're going to go with what the draft has right now, because people need

00:02:45.360 --> 00:02:47.260
something right now.

00:02:47.260 --> 00:02:51.180
So they came up with WPA to do that.

00:02:51.180 --> 00:02:57.100
Now, once 802.11i was formally ratified, it became clear that it had some

00:02:57.100 --> 00:03:02.640
differences from the draft that WPA had been based off of.

00:03:02.640 --> 00:03:07.560
And the formal 802.11i was actually stronger than what the draft status

00:03:07.560 --> 00:03:16.860
had been. So WPA2 is basically the full implementation of the standard

00:03:16.860 --> 00:03:25.400
of 802.11i. So it includes, for example, a much stronger encryption cipher,

00:03:25.400 --> 00:03:31.940
AES-CCMP, or depending on the paper you read, sometimes it's CCMP-AES.

00:03:31.940 --> 00:03:37.980
And I'll talk about what those acronyms stand for in just a moment.

00:03:37.980 --> 00:03:41.220
So the RCP-AES-C4 had previously been.

00:03:41.220 --> 00:03:46.880
And if you're doing the Enterprise version of WPA2, you have to use AES-

00:03:46.880 --> 00:03:56.080
CCMP. So TKIP with RC4 is no longer an option with WPA2 Enterprise.

00:03:56.080 --> 00:04:02.320
Also, WPA2 said that you could use 802.1X in an ad hoc mode.

00:04:02.320 --> 00:04:08.800
Quite honestly, I have no idea how that would work, because 802.1X requires

00:04:08.800 --> 00:04:12.040
connecting to an authentication server.

00:04:12.040 --> 00:04:15.320
But be that as it may, they somehow managed to figure out how that would

00:04:15.320 --> 00:04:16.600
work in an ad hoc mode.

00:04:16.600 --> 00:04:19.660
And in case you're not familiar with that term ad hoc, that means that

00:04:19.660 --> 00:04:24.600
one Wi-Fi client can directly connect and associate with another Wi-Fi

00:04:24.600 --> 00:04:26.940
client. In other words, there's no access point involved.

00:04:26.940 --> 00:04:31.000
This is like a point-to-point connection between two laptops or something

00:04:31.000 --> 00:04:33.660
using 802.11 Wi-Fi.

00:04:33.660 --> 00:04:35.740
They call that ad hoc mode.

00:04:35.740 --> 00:04:38.540
Hardly used at all anymore.

00:04:38.540 --> 00:04:43.060
And so even though this was an enhancement with 802.11i, it's an enhancement

00:04:43.060 --> 00:04:45.480
that wasn't really used by anybody.

00:04:45.480 --> 00:04:51.400
Also 802.11i, which was incorporated into WPA2, had some options for speeding

00:04:51.400 --> 00:04:54.520
up 802.1X re-authentication.

00:04:54.520 --> 00:04:59.640
So what that meant was that if your Wi-Fi client was connected to a wireless

00:04:59.640 --> 00:05:02.920
LAN that was in Enterprise mode.

00:05:02.920 --> 00:05:08.680
So remember, WPA2, and WPA2 Enterprise, means we have 802.1X.

00:05:08.680 --> 00:05:12.500
There's some server somewhere in the company that's authenticating you.

00:05:12.500 --> 00:05:16.220
Well, the idea was, hey, if you left that wireless LAN, went somewhere

00:05:16.220 --> 00:05:22.660
else, and then came back to that same wireless LAN, WPA2 had methods of

00:05:22.660 --> 00:05:27.560
speeding up your process for re-authenticating on a wireless LAN you had

00:05:27.560 --> 00:05:30.940
already previously participated in.

00:05:30.940 --> 00:05:32.680
So here's our timeline.

00:05:32.680 --> 00:05:40.340
So 2003, the Wi-Fi Alliance introduced WPA, and then one year later, 802.11i

00:05:40.340 --> 00:05:42.860
was fully standardized.

00:05:42.860 --> 00:05:44.480
It said, we're done with drafts.

00:05:44.480 --> 00:05:46.240
It's finished. It looks good.

00:05:46.240 --> 00:05:51.760
So that same year, the Wi-Fi Alliance took 802.11i and created a certification

00:05:51.760 --> 00:05:59.380
called WPA2. And so if a vendor like Ruckus or Aruba or Meraki or Cisco

00:05:59.380 --> 00:06:05.060
sent their access points to the Wi-Fi Alliance, the Wi-Fi Alliance could

00:06:05.060 --> 00:06:08.760
run it through a series of tests, and if that device did all the things

00:06:08.760 --> 00:06:13.380
that 802.11i said it should do, then they would get the seal of approval

00:06:13.380 --> 00:06:19.800
saying this is WPA2 certified.

00:06:19.800 --> 00:06:25.380
Now, the way 802.11 works is that the original 802.11, as you can

00:06:25.380 --> 00:06:28.160
see here, was brought out in 1997.

00:06:28.160 --> 00:06:31.860
Now, over time, various committees get together and they say, hey, we

00:06:31.860 --> 00:06:33.540
should enhance it this way.

00:06:33.540 --> 00:06:36.120
We should add this little bell and whistle to it.

00:06:36.120 --> 00:06:37.500
We should add this little feature to it.

00:06:37.500 --> 00:06:42.240
And all those things are what's called clauses or amendments to 802.11.

00:06:42.240 --> 00:06:50.660
So whenever you see 802.11 and a letter, like 802.11a, 802.11k, those are

00:06:50.660 --> 00:06:53.680
examples of clauses or amendments to the standard.

00:06:53.680 --> 00:06:58.680
And every once in a while, the big group of the IEEE, the big 802.11 committee,

00:06:58.680 --> 00:07:03.680
gets together and they roll all those amendments or clauses up into a

00:07:03.680 --> 00:07:06.500
new form of 802.11.

00:07:06.500 --> 00:07:11.260
So you can see here that 802.11 originally came out in 1997, then

00:07:11.260 --> 00:07:15.880
10 years later, in 2007, they said, hey, we should take all the clauses

00:07:15.880 --> 00:07:20.120
that have come out in the last 10 years and roll them up into the latest

00:07:20.120 --> 00:07:23.440
and greatest 802.11 standard.

00:07:23.440 --> 00:07:29.480
So if you had a device that was 802.11 capable that was produced in 2007

00:07:29.480 --> 00:07:35.880
and later, it supported 802.11a and b and g and i and all these things

00:07:35.880 --> 00:07:37.420
that came before it.

00:07:37.420 --> 00:07:44.160
All right, so let's compare key management and encryption between WPA

00:07:44.160 --> 00:07:54.780
and WPA2. So WPA used TKIP, which is the Temporal Key Integrity Protocol.

00:07:54.780 --> 00:07:58.320
Like I mentioned, this was based on RC4, which is what was originally

00:07:58.320 --> 00:08:00.240
implemented in WEP.

00:08:00.240 --> 00:08:04.540
But TKIP had an enhancement of providing for dynamic rotation of encryption

00:08:04.540 --> 00:08:09.760
keys. So packets could have more frequent changes of how they were encrypted.

00:08:09.760 --> 00:08:14.220
But it was based on the RC4 encryption cipher, and this is what Wi-Fi

00:08:14.220 --> 00:08:19.440
Protected Access used, the original flavor of WPA.

00:08:19.440 --> 00:08:25.160
Then when 802.11i was fully ratified and standardized, they said,

00:08:25.160 --> 00:08:29.720
hey, everybody should use this stronger form of encryption called CCMP,

00:08:29.720 --> 00:08:35.160
and this is a mouthful: Counter Mode with Cipher Block Chaining Message

00:08:35.160 --> 00:08:37.340
Authentication Code Protocol.

00:08:37.340 --> 00:08:39.700
Good luck memorizing that.

00:08:39.700 --> 00:08:41.840
But that's what CCMP stands for.

00:08:41.840 --> 00:08:46.420
This was based off of a much stronger cipher, which is called AES, the

00:08:46.420 --> 00:08:49.700
Advanced Encryption Service.

00:08:49.700 --> 00:08:54.320
I don't even know what the S stands for, but we'll see it at some point.

00:08:54.320 --> 00:08:59.220
But the main point here is that AES was much stronger than RC4, even today.

00:08:59.220 --> 00:09:04.860
And as I record this in 2019, AES is considered one of the strongest cipher

00:09:04.860 --> 00:09:07.400
suites when it comes to encryption.

00:09:07.400 --> 00:09:11.680
Like TKIP, this also provided for the dynamic rotation of encryption

00:09:11.680 --> 00:09:16.580
keys, and this first became available with WPA2.

00:09:16.580 --> 00:09:21.760
Now, just like with WPA, how the original flavor of WPA had a Personal

00:09:21.760 --> 00:09:26.620
and an Enterprise edition, that same thing held true with WPA2.

00:09:26.620 --> 00:09:32.040
So with both forms of WPA and WPA2 Personal, we have this concept of a

00:09:32.040 --> 00:09:33.800
static passphrase.

00:09:33.800 --> 00:09:37.280
So everybody joining the wireless LAN has to know what this passphrase

00:09:37.280 --> 00:09:40.560
is to join it, and they have to type it in somewhere into their laptop

00:09:40.560 --> 00:09:42.280
or tablet or something.

00:09:42.280 --> 00:09:44.440
So this is used for initial authentication.

00:09:44.440 --> 00:09:47.460
This is also used to derive the encryption key.

00:09:47.460 --> 00:09:52.580
And because it's static, not as secure as the Enterprise flavor.

00:09:52.580 --> 00:09:58.080
So the encryption key can be up to 256 bits in length, or something smaller

00:09:58.080 --> 00:10:03.480
than that. It is derived from that static passphrase, plus other elements

00:10:03.480 --> 00:10:06.280
like the SSID and other things.

00:10:06.280 --> 00:10:10.540
And when it comes to encryption, encryption is done between the access

00:10:10.540 --> 00:10:12.560
point and the client.

00:10:12.560 --> 00:10:19.140
Now with WPA2 Personal, you had a choice.

00:10:19.140 --> 00:10:23.940
You see, the original idea behind TKIP was they said, hey, you know,

00:10:23.940 --> 00:10:29.000
in 1997, back when devices first started doing Wi-Fi with the original

00:10:29.000 --> 00:10:36.060
802.11, devices were programmed in software to do RC4 encryption.

00:10:36.060 --> 00:10:40.400
So think about your laptops and PCs from 1997, right?

00:10:40.400 --> 00:10:41.660
Nothing like what we use today.

00:10:41.660 --> 00:10:44.200
Their processing power was much smaller.

00:10:44.200 --> 00:10:45.800
Their memory was much smaller.

00:10:45.800 --> 00:10:52.020
So RC4 was an encryption cipher that could be done in those very old devices.

00:10:52.020 --> 00:10:57.220
Now when WPA came out, they said, hmm, we're still dealing with devices

00:10:57.220 --> 00:10:59.240
out here that aren't very powerful.

00:10:59.240 --> 00:11:02.920
So even though there might be other encryption ciphers out there which

00:11:02.920 --> 00:11:06.440
are really good, really powerful, we can't tell people to start using

00:11:06.440 --> 00:11:09.720
that, because that would require some sort of a hardware upgrade.

00:11:09.720 --> 00:11:14.180
They'd have to swap out their CPU or put in some new hardware element,

00:11:14.180 --> 00:11:16.040
some new ASIC or something to do that.

00:11:16.040 --> 00:11:18.040
We don't want to force people to do that.

00:11:18.040 --> 00:11:19.600
So they came up with TKIP.

00:11:19.600 --> 00:11:23.740
TKIP was, they said, hey, with just a firmware upgrade, just downloading

00:11:23.740 --> 00:11:27.060
some software and installing it on your Wi-Fi NIC card or something, you

00:11:27.060 --> 00:11:31.140
should be able to upgrade RC4 to now do TKIP.

00:11:31.140 --> 00:11:37.440
Now when WPA2 came out, it said, hey, you should use AES with CCMP.

00:11:37.440 --> 00:11:43.480
Well, AES with CCMP was much more processor and memory intensive than

00:11:43.480 --> 00:11:46.000
what TKIP had previously been.

00:11:46.000 --> 00:11:50.480
So for the Personal edition of WPA2, they said, look, we'll give people

00:11:50.480 --> 00:11:55.160
a choice. We would prefer that they use CCMP with AES.

00:11:55.160 --> 00:11:56.240
That's recommended.

00:11:56.240 --> 00:11:58.640
That'll get you your strongest encryption.

00:11:58.640 --> 00:12:03.000
But if you have an older device, an older laptop or tablet that doesn't

00:12:03.000 --> 00:12:07.220
support that, you can still do WPA2, but now you're going to fall back

00:12:07.220 --> 00:12:11.140
to the older way of doing RC4 with TKIP.

00:12:11.140 --> 00:12:15.500
So you're not really getting a lot of the benefits there of WPA2 if you're

00:12:15.500 --> 00:12:17.220
using the older RC4 TKIP.

00:12:17.220 --> 00:12:21.060
You really want to use CCMP with AES.

00:12:21.060 --> 00:12:24.260
So how do we identify this?

00:12:24.260 --> 00:12:28.660
Well, if we take a look at a Wi-Fi network, like we can see right here,

00:12:28.660 --> 00:12:34.940
it'll say right on it, WPA2 Personal, or like this one right here, this

00:12:34.940 --> 00:12:40.280
one supports both the older WPA Personal as well as WPA2 Personal.

00:12:40.280 --> 00:12:43.460
So something about it within the beacons that it's sending you, advertising

00:12:43.460 --> 00:12:49.180
that wireless LAN, will tell you which flavor of WPA it's using and that

00:12:49.180 --> 00:12:50.820
it's pre-shared key.

00:12:50.820 --> 00:12:57.040
It might say PSK, it might say pre-share, or it might say personal.

00:12:57.040 --> 00:12:59.980
Either way, this means you have to have a pre-shared key or a password

00:12:59.980 --> 00:13:10.040
to access it. Now with the Enterprise version, this requires 802.1X.

00:13:10.040 --> 00:13:14.820
And so this is a lot more complicated; you'll have to have an 802.1X supplicant

00:13:14.820 --> 00:13:19.920
on your laptop or smartphone or tablet to support this, but Enterprise

00:13:19.920 --> 00:13:25.920
requires AES-CCMP and your keys are unique from everybody else on the

00:13:25.920 --> 00:13:29.140
wireless LAN. So if you and John and Sally are all connected to the same

00:13:29.140 --> 00:13:34.640
access point, virtually impossible for you to crack John and Sally's Wi-Fi

00:13:34.640 --> 00:13:35.840
transmissions.

00:13:35.840 --> 00:13:39.020
Even if you happen to capture them in a sniffer, everybody's using different,

00:13:39.020 --> 00:13:44.620
unique keys, so it's much, much stronger.

00:13:44.620 --> 00:13:49.480
So whenever you see the word Enterprise, just always think in your mind,

00:13:49.480 --> 00:13:56.920
that's 802.1X. So as a summary of this, just comparing and contrasting

00:13:56.920 --> 00:14:03.020
the two, just as a review, Wi-Fi Protected Access, the first version,

00:14:03.020 --> 00:14:08.180
was a draft version of 802.11i.

00:14:08.180 --> 00:14:14.720
Wi-Fi Protected Access 2 is fully compliant with the ratified version,

00:14:14.720 --> 00:14:19.580
the standard version of 802.11i, after all the drafts were done.

00:14:19.580 --> 00:14:22.960
Both offer a Personal and Enterprise edition.

00:14:22.960 --> 00:14:26.100
Personal means you're using a pre-shared key.

00:14:26.100 --> 00:14:30.400
This is typically for your home office or a small office.

00:14:30.400 --> 00:14:34.340
Enterprise is for larger Wi-Fi deployments, and that's where you're using

00:14:34.340 --> 00:14:40.620
802.1X. And even though Enterprise is more secure, most companies still

00:14:40.620 --> 00:14:45.660
use either WPA or WPA2 Personal simply because it's easier to configure

00:14:45.660 --> 00:14:50.280
and implement. So that concludes this video.

00:14:50.280 --> 00:14:52.740
I hope you found it useful, and thank you for watching.